Abstract. We revisit Schnorr's lattice-based integer factorization algorithm,
now with an effective point of view. We present effective versions of Theorem 2
of [11] as well as new properties of the Prime Number Lattice bases of Schnorr
and Adleman.

1. Introduction

Let N > 1 be a composite integer that we want to factor. The congruence of
squares method consists of finding $x, y \in \mathbb{Z}$ such that

(1)  $x^2 = y^2 \bmod N$

with $x \neq \pm y \bmod N$, and factor N by computing gcd(x + y, N). Although this is a
heuristic method, it works pretty well in practice and one can show under reasonable
hypotheses (see [21 page 268, remark (5)]) that for random x, y satisfying (1), one
has $x \neq \pm y \bmod N$ with probability > 1/2. This report considers an algorithm
based on this philosophy, namely Schnorr's algorithm [11], whose outline is given
in figure 1.

Call B-smooth an integer free of prime factors > B, and let $p_i$ be the i-th prime
number. Fix some d > 1 and suppose that N is free of prime factors < $p_d$. The
core computational task of the algorithm consists in finding d + 2 integer quartets
$(u, v, k, \gamma)$, with u, v $p_d$-smooth, k coprime with N, and $\gamma \in \mathbb{N} \setminus \{0\}$, solutions of
the Diophantine equation

(2)  $u = v + kN^\gamma.$

(1) Receive input number N to be factored.

(2) Set the dimension d and the constant C of the lattice $S_p(d, C)$, and form
the extended prime number list $\mathcal{P} = \{p_0, p_1, \ldots, p_d\}$ where $p_0 = -1$ and
the rest is the usual sequence of the first d prime numbers. Perform trial
division of N by the primes of $\mathcal{P}$. If N is factored, return the factor.

(3) Using the lattice described in section 2, construct a list of at least d + 2
pairs $(u_i, k_i) \in \mathbb{N} \times \mathbb{Z}$ such that $u_i$ is $p_d$-smooth with

    $u_i = \prod_{j=0}^{d} p_j^{a_{i,j}}, \quad a_{i,0} = 0,$

and

    $|u_i - k_i N| < p_d.$

(4) Factorize $u_i - k_i N$, for $i \in [1, d+2]$, over $\mathcal{P}$ to obtain

    $u_i - k_i N = \prod_{j=0}^{d} p_j^{b_{i,j}}.$

(5) Put $a_i = (a_{i,0}, \ldots, a_{i,d})$ and $b_i = (b_{i,0}, \ldots, b_{i,d})$.

(6) For every nonzero c = (c\, . . . , Cd+i) € {0, solution of 

d+l 

Cj(aj + bj) =0 mod 2 

do 

(a) Put 

3=1 

and 

d+2 

f = Y[pf^ Ciai:i mod iV. 

3=1 

(b) If $x \neq \pm y \bmod N$ then return gcd(x + y, N) and stop.



Figure 1. Outline of Schnorr's algorithm 



By design, Schnorr's algorithm is only able to find solutions where k is $p_d$-smooth
and $\gamma = 1$ (Adleman's variant can yield, in principle, solutions with $\gamma > 1$). We
look for pairs (u, k) of $p_d$-smooth numbers satisfying the inequality

(3)  $|u - kN| < p_d,$

and we build solutions out of these pairs by setting v = u - kN: the inequality
guarantees the $p_d$-smoothness of v. This search is lattice-based, and it involves
lattice reduction and lattice enumeration algorithms.

Although in 1987 de Weger [4] had already applied lattice reduction to the
effective resolution of Diophantine equations of the form (2), it was Schnorr who
first applied it to factorization, in 1993 [11]. In 1995, Adleman [1] used Schnorr's
approach to propose a reduction (not completely proved) from integer factorization
to the search of a shortest nonzero vector in a lattice. Schnorr's algorithm was
successfully implemented by Ritter and Rossner in 1997 [10].

In this report, we improve a result of [11] by recycling a result of Micciancio
[9, Prop. 5.10]. This result may be useful (cf. remark 4) to show the existence of
solutions to (2). In addition, we provide explicit computations of the volumes and
the Gram-Schmidt Orthogonalizations of the involved lattices and lattice bases,
respectively.

The road map is the following. First, in section 2 we introduce the lattice
framework of Adleman, and we explain how we can solve the Diophantine equation
(2) by searching short vectors in Adleman's lattice. Later in the same section, we
explain the original approach of Schnorr, by particularizing Adleman's approach.
Afterwards, in section 3 we give some properties of the Prime Number Lattices
of Schnorr and Adleman. Finally, in section 4 we provide our conclusions and
perspectives.

2. Detecting solutions

In this section we present the approaches of Adleman and Schnorr to solving (2)
using lattices. We start with the approach of Adleman, which considers a search for
short vectors. We show a sufficient condition to solving inequality (3). Then we
present the approach of Schnorr, which considers a search for close vectors, and
which can be seen as a particular case of Adleman's. We show a corresponding
sufficient condition to solving (3).

2.1. Coding a candidate solution. Let $z \in \mathbb{Z}^{d+1}$ be a vector with negative last
coordinate. To this vector we associate a candidate solution to (2) in the following
way

(4)  $u = \prod_{z_i > 0,\ i \le d} p_i^{z_i}, \qquad k = \prod_{z_i < 0,\ i \le d} p_i^{|z_i|}, \qquad \text{and} \qquad \gamma = |z_{d+1}|.$

Note that u and k are coprime. We would like to have candidate solutions providing
an actual solution with high probability, that is, we want $v = u - kN^\gamma$ to be probably
$p_d$-smooth. Now we will describe a way to find such candidate solutions.

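2.2. Making smoothness probable: the Prime Number Lattice of Adleman.
Define Adleman's p-norm Prime Number Lattice $A_p$ by the columns of the
basis matrix

$A_p = \begin{pmatrix} \sqrt[p]{\ln p_1} & & & 0 \\ & \ddots & & \vdots \\ & & \sqrt[p]{\ln p_d} & 0 \\ C\ln p_1 & \cdots & C\ln p_d & C\ln N \end{pmatrix}$

where C > 0 is an arbitrary constant, which can depend on N. The vector $z \in \mathbb{Z}^{d+1}$
satisfies

$A_p z = \begin{pmatrix} z_1 \sqrt[p]{\ln p_1} \\ \vdots \\ z_d \sqrt[p]{\ln p_d} \\ C\left(\sum_{i=1}^{d} z_i \ln p_i - |z_{d+1}| \ln N\right) \end{pmatrix}$

and

$\|A_p z\|_p^p = \sum_{i=1}^{d} |z_i|^p \ln p_i + C^p \left| \sum_{i=1}^{d} z_i \ln p_i - |z_{d+1}| \ln N \right|^p,$

and considering that this vector codes a candidate solution, we have

$\|A_p z\|_p^p = \sum_{i=1}^{d} |z_i|^p \ln p_i + C^p \left| \ln u - \ln(kN^\gamma) \right|^p$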

and hence

$\|A_1 z\|_1 = \ln u + \ln k + C\,|\ln u - \ln(kN^\gamma)|.$

We have the following theorem in the case of the 1-norm.

Theorem 1. Let C > 1 and $z \in \mathbb{Z}^{d+1}$, with $\gamma = |z_{d+1}|$ and $z_{d+1} < 0$. Then,
whenever

(5)  $\|A_1 z\|_1 < 2\ln C + 2\sigma\ln p_d - \gamma\cdot\ln N,$

we have

$|u - kN^\gamma| < p_d^\sigma.$

Proof. Just use lemma 1 (in the appendix) with $\varepsilon = 2\ln C + 2\sigma\ln p_d - \gamma\cdot\ln N$. □

Remark 1. The requirement $z_{d+1} < 0$ is just needed to obtain a valid candidate
solution. It does not reduce the space of solutions in any way, since a lattice is
an additive group: for each vector of nonzero last coordinate, either itself or its
opposite will have a strictly negative last coordinate.

Remark 2. When $\sigma = 1$ and z satisfies (5), we necessarily have a solution to the
original equation. In addition, when $\sigma > 1$ is not too big, we can be quite
optimistic about the $p_d$-smoothness of $v = u - kN^\gamma$, and hence on obtaining a
solution too.

Remark 3. In order to factor N, one will typically search for (short) vectors $A_1 z$
satisfying (5) for some $\sigma$ not too big, and then reconstruct from z the candidate
solution to (2), testing afterwards if it really constitutes a solution. In that case,
the solution is stored, until we collect d + 2 of them.

Remark 4. Together with some extra knowledge on the properties of $\gamma$ for z
satisfying (5) (see remark 6), theorem 1 could be useful to prove the existence of solutions
to inequality (3) and hence to equation (2), since we have explicit estimates on
the length of a short nonzero vector of $A_1$, thanks to Minkowski's theorem for the
1-norm. See Siegel [13, Theorem 14].

Remark 5. Obtaining an analog of theorem 1 for the Euclidean norm could be very
useful, since this norm has better properties and it is the usual norm for lattice
algorithms.

2.3. A similar approach: the Prime Number Lattice of Schnorr. The
Prime Number Lattice of Schnorr $S_p$ is generated by the columns of the basis
matrix

(6)  $S_p = \begin{pmatrix} \sqrt[p]{\ln p_1} & & \\ & \ddots & \\ & & \sqrt[p]{\ln p_d} \\ C\ln p_1 & \cdots & C\ln p_d \end{pmatrix}.$

The vector

(7)  $t = \begin{pmatrix} 0 \\ \vdots \\ 0 \\ C\ln N \end{pmatrix}$

is the target vector of a close vector search in $S_p$, which replaces the short vector
search of Adleman's approach. Schnorr's algorithm considers vectors $z \in \mathbb{Z}^d$, to
which it associates the candidate solution $(u, k, \gamma)$ to (3) with u and k defined
exactly as in (4) and $\gamma = 1$. We have

$S_p z - t = \begin{pmatrix} z_1 \sqrt[p]{\ln p_1} \\ \vdots \\ z_d \sqrt[p]{\ln p_d} \\ C\left(\sum_{i=1}^{d} z_i \ln p_i - \ln N\right) \end{pmatrix}$

and hence

$\|S_p z - t\|_p^p = \sum_{i=1}^{d} |z_i|^p \ln p_i + C^p \left| \sum_{i=1}^{d} z_i \ln p_i - \ln N \right|^p.$

The following theorem is the analog of theorem 1.

Theorem 2. Let C > 1 and $z \in \mathbb{Z}^d$. Hence, if

(8)  $\|S_1 z - t\|_1 < 2\ln C + 2\sigma\ln p_d - \ln N,$

Proof. Just use lemma 2 with $\varepsilon = 2\ln C + 2\sigma\ln p_d - \ln N$. □



Remark 6. In order to factor N, we should look for vectors of $S_1$ close to t. The
main idea is that vectors satisfying (8) for some $\sigma > 1$ not too big are more likely to
provide candidate solutions which in turn will provide solutions to (2). Adleman's
approach has the apparent advantage of having a larger search space, hence having a
greater potential for finding solutions. In practice, this seems to be a disadvantage,
since the solutions to seem to be exactly those coming from Schnorr's approach
too. Hence, in Adleman's approach one seems to search for many candidates that
do not provide solutions. This could be related to the fact that the target vector
t does not belong to the real span of $S_1$: if the component of t in the orthogonal
complement of the span of $S_1$ is sufficiently big, any short vector in Adleman's
lattice $A_1$ having nonzero last coordinate must have a last coordinate of absolute
value equal to 1, hence leading to the same solutions as Schnorr's lattice (see
Chapter 4, Lemma 4.1] for a related discussion).

Remark 7. A great algorithmic advantage of the approach of Schnorr over that
of Adleman is that the choice of the basis can be essentially independent of the
number N. For example, this will be the case if C depends only on the size of N.
This has the very important implication of allowing a precomputation on the basis
(for example an HKZ reduction) valid for all numbers of some fixed size.

Remark 8. Proving the existence of solutions to (5) seems harder in this case, since
one needs a bound on the covering radius, which is less well understood than the
first minimum.

Remark 9. Just as in the case of Adleman, obtaining an analog of theorem 2 for
the Euclidean norm could be very useful. First attempts at finding this analog were
stopped by involved computations.
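
The outline of Figure 1 run on the lattice of section 2.3, as an added example that is not code from the paper: the close-vector search is replaced by exhaustive enumeration of z in a small box ranked by $\|S_1 z - t\|_1$, and step (6a) uses the standard congruence-of-squares products $x = \prod_j p_j^{\sum_i c_i (a_{i,j}+b_{i,j})/2}$ and $y = \prod_j p_j^{\sum_i c_i a_{i,j}}$, which is an assumption here. The factor base, the default C = 50, the box size and all function names are constructed for the illustration, and the bound $|u - kN| < p_d$ is relaxed to plain $p_d$-smoothness of u - kN.

```python
import itertools
import math

PRIMES = (2, 3, 5, 7)      # p_1..p_d: constructed toy factor base (d = 4)
BASE = (-1,) + PRIMES      # extended list with p_0 = -1

def decode(z):
    """Eq. (4) with gamma = 1: positive exponents build u, negative ones k."""
    u = math.prod(p ** e for p, e in zip(PRIMES, z) if e > 0)
    k = math.prod(p ** -e for p, e in zip(PRIMES, z) if e < 0)
    return u, k

def dist1(z, N, C):
    """||S_1 z - t||_1 = sum |z_i| ln p_i + C |sum z_i ln p_i - ln N|."""
    logs = [math.log(p) for p in PRIMES]
    lin = sum(e * l for e, l in zip(z, logs))
    return sum(abs(e) * l for e, l in zip(z, logs)) + C * abs(lin - math.log(N))

def exponents(n):
    """Exponent vector of n over BASE, or None when n is not p_d-smooth."""
    if n == 0:
        return None
    vec, n = [int(n < 0)], abs(n)
    for p in PRIMES:
        e = 0
        while n % p == 0:
            n, e = n // p, e + 1
        vec.append(e)
    return vec if n == 1 else None

def relations(N, C, box):
    """Step (3) by brute force: visit z in [-box, box]^d by distance to t."""
    cands = itertools.product(range(-box, box + 1), repeat=len(PRIMES))
    for z in sorted(cands, key=lambda z: dist1(z, N, C)):
        u, k = decode(z)
        b = exponents(u - k * N)               # step (4)
        if b is not None:
            yield exponents(u), b              # a_i and b_i of step (5)

def factor(N, C=50.0, box=4):
    """Steps (3)-(6) on d + 2 relations; returns a proper factor or None."""
    rels = list(itertools.islice(relations(N, C, box), len(PRIMES) + 2))
    for c in itertools.product((0, 1), repeat=len(rels)):
        picked = [r for ci, r in zip(c, rels) if ci]
        a = [sum(r[0][j] for r in picked) for j in range(len(BASE))]
        ab = [a[j] + sum(r[1][j] for r in picked) for j in range(len(BASE))]
        if not picked or any(e % 2 for e in ab):
            continue                           # c = 0 or an odd exponent sum
        x = math.prod(pow(p, e // 2, N) for p, e in zip(BASE, ab)) % N
        y = math.prod(pow(p, e, N) for p, e in zip(BASE, a)) % N
        if x not in (y, (N - y) % N):          # step (6b)
            return math.gcd(x + y, N)
    return None
```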



3. Some properties of the Prime Number Lattices 



We present some useful computations which extend those given by Micciancio
and Goldwasser [9, Chapter 5, section 2.3].

3.1. Volumes of the Prime Number Lattices. Here we provide closed forms
for the volumes of the p-norm Schnorr and Adleman lattices. This generalizes
Proposition 5.9 of [9], which considers only p = 2.

Remark 10. Recall that the volume of the lattice generated by the columns of a
(not necessarily full rank) basis matrix B is

$\mathrm{vol}(\mathcal{L}(B)) = \sqrt{|\det(B^T B)|},$

which is exactly det(B) when B has full rank.

Theorem 3. The volume of the p-norm Adleman lattice $A_p$, whose basis is

$A_p = \begin{pmatrix} \sqrt[p]{\ln p_1} & & & 0 \\ & \ddots & & \vdots \\ & & \sqrt[p]{\ln p_d} & 0 \\ C\ln p_1 & \cdots & C\ln p_d & C\ln N \end{pmatrix}$

is given by

$\mathrm{vol}(A_p) = C\ln N \cdot \prod_{i=1}^{d} \sqrt[p]{\ln p_i}.$

Furthermore, the volume of the p-norm Schnorr lattice $S_p$, whose basis is

$S_p = \begin{pmatrix} \sqrt[p]{\ln p_1} & & \\ & \ddots & \\ & & \sqrt[p]{\ln p_d} \\ C\ln p_1 & \cdots & C\ln p_d \end{pmatrix}$

is given by

$\mathrm{vol}(S_p) = \sqrt{1 + C^2 \sum_{i=1}^{d} (\ln p_i)^{2-2/p}} \cdot \prod_{i=1}^{d} \sqrt[p]{\ln p_i}.$

Proof. The case of $A_p$ is trivial, as the basis matrix is lower triangular. Let us
consider the case of $S_p$. It is easy to see that the volume of $S_p$ is a multilinear
function of the columns of $S_p$. Hence, factoring out $\sqrt[p]{\ln p_i}$, $i \in [1, d]$, from the i-th
column, we obtain

$\mathrm{vol}(S_p) = \sqrt{|\det(S_p^T S_p)|} = \sqrt{|\det(\tilde{S}_p^T \tilde{S}_p)|} \cdot \prod_{i=1}^{d} \sqrt[p]{\ln p_i},$

where $\tilde{S}_p$ is of the form (11) (see lemma 3 in the appendix) with

$x_i = C \cdot (\ln p_i)^{1-1/p}.$

Lemma 3 implies that

$\sqrt{|\det(\tilde{S}_p^T \tilde{S}_p)|} = \sqrt{1 + C^2 \sum_{i=1}^{d} (\ln p_i)^{2-2/p}},$

which concludes the proof. □

3.2. Explicit Gram-Schmidt Orthogonalization. Here we give explicit
expressions for the coefficients of the Gram-Schmidt Orthogonalization (GSO) of the set
$\{b_1, \ldots, b_d, t\}$ of columns of $S_p$, augmented by the target vector t (or, equivalently,
of the set of columns of $A_p$).

Theorem 4. Consider the columns $\{b_i\}_{i=1}^{d}$ of Schnorr's Prime Number Lattice
basis as well as the target vector t defined in (7). The Gram-Schmidt
Orthogonalization of $\{b_1, \ldots, b_d, t\}$ involves the quantities

$D_j = 1 + C^2 \sum_{i=1}^{j} (\ln p_i)^{2-2/p}$

and is given by

$(b_k^*)_i = \begin{cases} -\dfrac{C^2 \ln p_k \,(\ln p_i)^{1-1/p}}{D_{k-1}} & i < k \\ (\ln p_k)^{1/p} & i = k \\ 0 & k < i < d+1 \\ \dfrac{C\ln p_k}{D_{k-1}} & i = d+1 \end{cases}$

and

$(t^*)_i = \begin{cases} -\dfrac{C^2 (\ln N)(\ln p_i)^{1-1/p}}{D_d} & i < d+1 \\ \dfrac{C(\ln N)}{D_d} & i = d+1. \end{cases}$

The corresponding Euclidean norms satisfy

$\|b_k^*\|_2 = \sqrt[p]{\ln p_k} \cdot \sqrt{\dfrac{D_k}{D_{k-1}}}, \qquad \|t^*\|_2 = \dfrac{C\ln N}{\sqrt{D_d}}.$

Furthermore, the projection of t on the span of $\{b_1, \ldots, b_d\}$, which is the effective
target vector for the close vector search of Schnorr's algorithm, is given by

$(t - t^*)_i = \begin{cases} \dfrac{C^2 (\ln N)(\ln p_i)^{1-1/p}}{D_d} & i < d+1 \\ \dfrac{C(\ln N)(D_d - 1)}{D_d} & i = d+1. \end{cases}$

Proof. The matrix having $\{b_1, \ldots, b_d, t\}$ as columns is of the form (12) (see lemma
4 in the appendix) with

$x_i = \sqrt[p]{\ln p_i}, \qquad y_i = C \cdot \ln p_i, \qquad 1 \le i \le d,$

and

$y_{d+1} = C\ln N.$

Hence, using lemma 4 we directly obtain the theorem. □

Remark 11. The explicit value of $\|t^*\|_2$ can be used to better understand the search
for close vectors of Schnorr's algorithm. This is a consequence of the fact that t
does not belong to the span of $\{b_1, \ldots, b_d\}$.
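
A numerical check of the closed forms of Theorems 3 and 4, as an added example that is not code from the paper: a generic Gram-Schmidt pass over the columns of $S_p$ followed by t is compared with $D_j = 1 + C^2 \sum_{i \le j} (\ln p_i)^{2-2/p}$, $\|b_k^*\|_2$, $\|t^*\|_2$ and $\mathrm{vol}(S_p)$. The primes, N = 2021, C = 10 and the function names are constructed for the illustration.

```python
import math

def schnorr_columns(primes, N, C, p):
    """Columns b_1..b_d of S_p (eq. 6) followed by the target t (eq. 7)."""
    d = len(primes)
    cols = []
    for i, q in enumerate(primes):
        col = [0.0] * (d + 1)
        col[i] = math.log(q) ** (1.0 / p)      # diagonal entry (ln p_i)^(1/p)
        col[d] = C * math.log(q)               # last row entry C ln p_i
        cols.append(col)
    cols.append([0.0] * d + [C * math.log(N)])
    return cols

def gram_schmidt(cols):
    """Classical Gram-Schmidt without normalisation; returns the v_k^*."""
    ortho = []
    for v in cols:
        w = list(v)
        for o in ortho:
            mu = sum(a * b for a, b in zip(v, o)) / sum(b * b for b in o)
            w = [wi - mu * oi for wi, oi in zip(w, o)]
        ortho.append(w)
    return ortho

def norm(v):
    return math.sqrt(sum(x * x for x in v))

def closed_forms(primes, N, C, p):
    """||b_k^*||_2, ||t^*||_2 and vol(S_p) from the closed forms of section 3."""
    D = [1.0]                                  # D_0 = 1
    for q in primes:
        D.append(D[-1] + C * C * math.log(q) ** (2 - 2.0 / p))
    b_norms = [math.log(q) ** (1.0 / p) * math.sqrt(D[k + 1] / D[k])
               for k, q in enumerate(primes)]
    t_norm = C * math.log(N) / math.sqrt(D[-1])
    vol = math.sqrt(D[-1]) * math.prod(math.log(q) ** (1.0 / p) for q in primes)
    return b_norms, t_norm, vol

def compare(primes=(2, 3, 5, 7, 11), N=2021, C=10.0, p=2):
    """Largest relative gap between the numeric GSO and the closed forms."""
    ortho = gram_schmidt(schnorr_columns(primes, N, C, p))
    b_norms, t_norm, vol = closed_forms(primes, N, C, p)
    num = [norm(o) for o in ortho]
    # vol(S_p) is the product of the norms of b_1^*..b_d^* (t^* excluded).
    pairs = list(zip(num[:-1], b_norms))
    pairs += [(num[-1], t_norm), (math.prod(num[:-1]), vol)]
    return max(abs(a - b) / b for a, b in pairs)
```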

4. Conclusions and perspectives 

Using an idea of Micciancio, we presented partial but rigorous results advancing 
towards an effective reduction from factorization to the search of short or close 
lattice vectors in the Prime Number Lattice of Adleman or Schnorr, respectively. 
These results, valid only for the 1-norm, improve over those of Schnorr [11, Theorem
2] by getting rid of asymptotically vanishing terms. Proving similar results for the
Euclidean norm may be very useful, since it has much better properties than the
1-norm and it is the natural choice for lattice algorithms¹.

¹ Although recently, in [12, Theorem 2], Schnorr restated [11, Theorem 2] in the context of the
Euclidean norm, this is essentially a generic restatement valid for every p-norm, p > 1, which still
involves asymptotic terms.

Furthermore, we provided new properties of the Prime Number Lattices and
their usual bases (in p-norm, p > 1), extending those of Micciancio [9, Chapter 5,
Section 2.3]. These properties could be useful to better understand the close vector
search which takes place at the core of Schnorr's algorithm.

The next step of this work is to understand the distribution of lattice elements
providing solutions to (3) or even (2), in order to choose on a well-grounded basis
between enumeration algorithms ([3 [5]) and random sampling algorithms ([B], [5]),
in the context of an effective implementation.

4.1. Acknowledgements. Thanks to Damien Stehle for regular discussions and
encouragement, as well as for many pointers to the relevant literature. Thanks to
Guillaume Hanrot for useful discussions.

Appendix A. Underlying lemmas

A.1. Lemmas used in section 2. The following two lemmas are elementary
generalizations of a result of Micciancio [9, Prop. 5.10].

Lemma 1. Let C > 1 and let $z \in \mathbb{Z}^{d+1}$ have negative last coordinate of module
$\gamma = |z_{d+1}| \ge 1$, satisfying

$\|A_1 z\|_1 < \varepsilon.$

Hence, we have

$|u - kN^\gamma| < \dfrac{N^{\gamma/2}}{C} \cdot \exp\left(\dfrac{\varepsilon}{2}\right).$

Proof. The proof is essentially the same as that of Proposition 5.10 of [9]. We maximize
$|u - kN^\gamma|$ subject to the constraint

(9)  $\|A_1 z\|_1 < \varepsilon.$

Since

$\|A_1 z\|_1 = \ln u + \ln k + C\,|\ln u - \ln(kN^\gamma)|,$

the constraint (9) is symmetric in u and $kN^\gamma$, and we can suppose without loss of
generality that $u > kN^\gamma$. Now, the constraint (9) can be rewritten as

$(C + 1) \cdot \ln u - (C - 1) \cdot \ln k < \varepsilon + C\gamma \cdot \ln N,$

which implies

$u < k^{\frac{C-1}{C+1}} \cdot N^{\frac{C\gamma}{C+1}} \cdot \exp\left(\dfrac{\varepsilon}{C+1}\right).$

Replacing this maximal value for u in the objective function we get

(10)  $k^{\frac{C-1}{C+1}} \cdot N^{\frac{C\gamma}{C+1}} \cdot \exp\left(\dfrac{\varepsilon}{C+1}\right) - kN^\gamma.$

Now, we optimize this last expression as a function of k. Differentiating (10) with
respect to k we obtain

$\left(\dfrac{C-1}{C+1}\right) k^{-\frac{2}{C+1}} \cdot N^{\frac{C\gamma}{C+1}} \cdot \exp\left(\dfrac{\varepsilon}{C+1}\right) - N^\gamma$

and hence the maximum is reached in the point

$k = \left(\dfrac{C-1}{C+1}\right)^{\frac{C+1}{2}} \cdot N^{-\gamma/2} \cdot \exp\left(\dfrac{\varepsilon}{2}\right).$

The maximum of the original function is hence

$\left(\dfrac{C-1}{C+1}\right)^{\frac{C-1}{2}} \cdot \dfrac{2}{C+1} \cdot N^{\gamma/2} \cdot \exp\left(\dfrac{\varepsilon}{2}\right)$

and as²

$\left(\dfrac{C-1}{C+1}\right)^{\frac{C-1}{2}} \left(\dfrac{2}{C+1}\right) < \dfrac{1}{C}$

for C > 1, we conclude that

$|u - kN^\gamma| < \dfrac{N^{\gamma/2}}{C} \cdot \exp\left(\dfrac{\varepsilon}{2}\right),$

as wished. □



Lemma 2. Let C > 1 and let $z \in \mathbb{Z}^d$ satisfying

$\|S_1 z - t\|_1 < \varepsilon.$

Hence,

$|u - kN| < \dfrac{\sqrt{N}}{C} \cdot \exp\left(\dfrac{\varepsilon}{2}\right).$

Proof. Just take $\gamma = 1$ in the proof of lemma 1. □



2 When x > 1, the function /(x) = ^^q^x) 2 f J+i j ' s monotonically decreasing, with 
/(0+) = l. 
A.2. Lemmas used in section 3. The following are general lemmas, maybe of
independent interest. Lemma0]could find an application in the context of knapsack 
lattice bases. 

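Lemma 3. The volume of the lattice $\mathcal{L}$ generated by the columns of the matrix

(11)  $B = \begin{pmatrix} 1 & & & \\ & 1 & & \\ & & \ddots & \\ & & & 1 \\ x_1 & x_2 & \cdots & x_d \end{pmatrix}$

satisfies

$\mathrm{vol}(\mathcal{L}) = \sqrt{\det(B^T B)} = \sqrt{1 + \sum_{i=1}^{d} x_i^2}.$

Proof. We use Sylvester's determinant theorem (see for example [5]), which states
that for every $A \in \mathbb{R}^{m \times n}$ and $B \in \mathbb{R}^{n \times m}$,

$\det(I_m + AB) = \det(I_n + BA),$

where $I_k$ is the k x k identity matrix. Writing the matrix B by blocks, and
computing the associated Gram matrix, we obtain

$B = \begin{pmatrix} I_d \\ x^T \end{pmatrix} \quad \Rightarrow \quad B^T B = I_d + x\,x^T,$

and hence, using Sylvester's theorem,

$\mathrm{vol}(\mathcal{L})^2 = \det(B^T B) = \det(I_d + x \cdot x^T) = \det(I_1 + x^T \cdot x) = 1 + \sum_{i=1}^{d} x_i^2,$

as wished. □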



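Lemma 4. The Gram-Schmidt Orthogonalization of the columns $\{v_1, \ldots, v_{d+1}\}$
of a nonsingular square matrix

(12)  $\begin{pmatrix} x_1 & & & & \\ & x_2 & & & \\ & & \ddots & & \\ & & & x_d & \\ y_1 & y_2 & \cdots & y_d & y_{d+1} \end{pmatrix}$

can be specified in function of its entries and the quantities

$K_j = 1 + \sum_{i=1}^{j} \left(\dfrac{y_i}{x_i}\right)^2, \qquad 1 \le j \le d, \qquad K_0 = 1,$

by

(13)  $(v_k^*)_i = \begin{cases} -\dfrac{y_k}{K_{k-1}} \left(\dfrac{y_i}{x_i}\right) & i < k \\ x_k & i = k \\ 0 & k < i < d+1 \\ \dfrac{y_k}{K_{k-1}} & i = d+1 \end{cases}$

for $k \le d$, and by the same expression considering only the i < k and i = d + 1
cases, when k = d + 1. The Euclidean norms satisfy

(14)  $\|v_k^*\|_2^2 = x_k^2 \, \dfrac{K_k}{K_{k-1}}, \qquad \|v_{d+1}^*\|_2^2 = \dfrac{y_{d+1}^2}{K_d},$

and the Gram-Schmidt coefficients are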

(15) /n,, l<j<fc<d + l. 

Proof. The proof of (13) is carried out by induction. The result is clearly true for
k = 1. Suppose that it holds for $v_1^*, \ldots, v_{k-1}^*$ for some $k \in [2, d+1]$. Let us show
that it still holds for $v_k^*$. First, observe that for $1 \le j < k \le d+1$,

$v_k \cdot v_j^* = (v_k)_{d+1} \cdot (v_j^*)_{d+1} = y_k \cdot \dfrac{y_j}{K_{j-1}}$

and 




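Now, let $i \in [1, k-1]$. By the definition of the Gram-Schmidt process, we have

$\begin{aligned} (v_k^*)_i &= (v_k)_i - \sum_{j=1}^{k-1} \mu_{k,j} \cdot (v_j^*)_i \\ &= 0 - \sum_{j=i}^{k-1} \mu_{k,j} \cdot (v_j^*)_i \\ &= -\mu_{k,i} \cdot (v_i^*)_i - \sum_{j=i+1}^{k-1} \mu_{k,j} \cdot (v_j^*)_i \\ &= -\dfrac{y_k}{K_{k-1}} \left(\dfrac{y_i}{x_i}\right) \end{aligned}$

as we wanted. Now, when $i = k \le d$,

$\begin{aligned} (v_k^*)_k &= (v_k)_k - \sum_{j=1}^{k-1} \mu_{k,j} \cdot (v_j^*)_k \\ &= x_k - \sum_{j=1}^{k-1} \mu_{k,j} \cdot 0 \\ &= x_k, \end{aligned}$

as we wanted. When $k < i \le d$, we have

$\begin{aligned} (v_k^*)_i &= (v_k)_i - \sum_{j=1}^{k-1} \mu_{k,j} \cdot (v_j^*)_i \\ &= 0 - \sum_{j=1}^{k-1} \mu_{k,j} \cdot 0 \\ &= 0, \end{aligned}$

as wished. Finally, when i = d + 1 we obtain, for every $k \in [2, d+1]$,

$\begin{aligned} (v_k^*)_{d+1} &= (v_k)_{d+1} - \sum_{j=1}^{k-1} \mu_{k,j} \cdot (v_j^*)_{d+1} \\ &= y_k - \sum_{j=1}^{k-1} \left(\dfrac{y_k y_j}{x_j^2 K_j}\right) \left(\dfrac{y_j}{K_{j-1}}\right) \\ &= y_k \left[ 1 - \sum_{j=1}^{k-1} \left(\dfrac{y_j}{x_j}\right)^2 \dfrac{1}{K_j K_{j-1}} \right] \\ &= y_k \left( 1 - \left(\dfrac{1}{K_0} - \dfrac{1}{K_{k-1}}\right) \right) \\ &= \dfrac{y_k}{K_{k-1}}, \end{aligned}$

since $K_0 = 1$. Hence, (13) is proved, both in the $1 \le k \le d$ and the k = d + 1 cases,
as specified in the statement of the lemma. As a consequence of the computations
preceding (13), properties (14) and (15) are also proved, except for the Euclidean
norm of $v_{d+1}^*$, which is given by

$\|v_{d+1}^*\|_2^2 = \left(\dfrac{y_{d+1}}{K_d}\right)^2 \left( \sum_{i=1}^{d} \left(\dfrac{y_i}{x_i}\right)^2 + 1 \right) = \dfrac{y_{d+1}^2}{K_d}.$

The proof of the lemma is now complete. □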



